diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6fa361d6e9..cddcf257b4 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14968,7 +14968,7 @@ "redirect_document_id": true }, { -"source_path": "windows/hub/windows-10-landing.yml", +"source_path": "windows/windows-10/windows-10-landing.yml", "redirect_url": "/windows/hub/windows-10", "redirect_document_id": true }, diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..e7f59d08ec --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,7 @@ +{ + "cSpell.words": [ + "kovter", + "kovter's", + "poshspy" + ] +} \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index c6c5cf099e..83ca5233e3 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -45,8 +45,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all 6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. - >[!Note] - >Step 3 of this topic provides the steps to create your database. + >[!Note] + >Step 3 of this topic provides the steps to create your database. 7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 6b1c835350..5d0635344e 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,17 +1,24 @@ # [Microsoft HoloLens](index.md) -## [What's new in Microsoft HoloLens](hololens-whats-new.md) -## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) -## [Insider preview for Microsoft HoloLens](hololens-insider.md) -## [Set up HoloLens](hololens-setup.md) +# [What's new in HoloLens](hololens-whats-new.md) +# [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) +# [Set up HoloLens](hololens-setup.md) + +# Device Management +## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) ## [Install localized version of HoloLens](hololens-install-localized.md) -## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) +## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Manage updates to HoloLens](hololens-updates.md) -## [Set up HoloLens in kiosk mode](hololens-kiosk.md) -## [Share HoloLens with multiple people](hololens-multiple-users.md) -## [Configure HoloLens using a provisioning package](hololens-provisioning.md) -## [Install apps on HoloLens](hololens-install-apps.md) -## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) ## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) + +# Application Management +## [Install apps on HoloLens](hololens-install-apps.md) +## [Share HoloLens with multiple people](hololens-multiple-users.md) + +# User/Access Management +## [Set up single application access](hololens-kiosk.md) +## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) ## [How HoloLens stores data for spaces](hololens-spaces.md) -## [Change history for Microsoft HoloLens documentation](change-history-hololens.md) \ No newline at end of file + +# [Insider preview for Microsoft HoloLens](hololens-insider.md) +# [Change history for Microsoft HoloLens documentation](change-history-hololens.md) \ No newline at end of file diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 2d52e698c0..85be497437 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -217,6 +217,8 @@ In order to enable Skype for Business, your environment will need to meet the fo ## Create a device account using the Exchange Admin Center +>[!NOTE] +>This method will only work if you are syncing from an on-premises Active Directory. You can use the Exchange Admin Center to create a device account: diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 101ca103bc..b80840d43d 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -385,6 +385,6 @@ If the dump file shows an error that is related to a driver (for example, window 1. Start WinRE, and open a Command Prompt window. 2. Start a text editor, such as Notepad. - 3. Navigate to C\Windows\System32\Config\. + 3. Navigate to C:\Windows\System32\Config\. 4. Rename the all five hives by appending ".old" to the name. 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 3e6ae32cb4..54ce71766b 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -245,6 +245,7 @@ #### [RestrictedGroups](policy-csp-restrictedgroups.md) #### [Search](policy-csp-search.md) #### [Security](policy-csp-security.md) +#### [ServiceControlManager](policy-csp-servicecontrolmanager.md) #### [Settings](policy-csp-settings.md) #### [SmartScreen](policy-csp-smartscreen.md) #### [Speech](policy-csp-speech.md) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e90f12b931..b5fe65544d 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -941,7 +941,7 @@ Additional lists: Mobile Enterprise - + check mark6 check mark6 check mark6 check mark6 diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 481636bb71..fee32a8f15 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -35,7 +35,7 @@ The auto-enrollment relies of the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence. +In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. See [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) to learn more. For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md new file mode 100644 index 0000000000..1fad0a54a6 --- /dev/null +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -0,0 +1,26 @@ +--- +title: eSIM Enterprise Management +description: Managing eSIM devices in an enterprise +keywords: eSIM enterprise management +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.topic: +--- + +# How Mobile Device Management Providers support eSIM Management on Windows +The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. + If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: +- Onboard to Azure Active Directory +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. +- Assess solution type that you would like to provide your customers +- Batch/offline solution +- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. +- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Real-time solution +- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. +- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used +**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 2fbd4d1bce..facdcc4168 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -5,11 +5,11 @@ MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b -ms.author: jdecker +ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: jdeckerms +author: dansimp ms.date: 01/25/2019 --- @@ -41,7 +41,11 @@ The MDM security baseline includes policies that cover the following areas: - Legacy technology policies that offer alternative solutions with modern technology - And much more -For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip). +For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see: +- [MDM Security baseline for Windows 10, version 1903](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) + +- [MDM Security baseline for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) + For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/intune/security-baseline-settings-windows) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 568389f6f7..6fecea0699 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -115,6 +115,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
  • [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
  • [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
    • +
  • [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
  • [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
  • [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
  • [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
    • @@ -1868,16 +1869,17 @@ How do I turn if off? | The service can be stopped from the "Services" console o |New or updated topic | Description| |--- | ---| +|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
    DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| |[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.| |[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
    DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.

    Updated description of the following policies:
    DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.| |[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
    ShowLockOnUserTile.| |[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
    AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.| |[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
    EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.| |[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
    AllowFindMyFiles.| +|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
    SvchostProcessMitigation.| |[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
    AllowCommercialDataPipeline, TurnOffFileHistory.| |[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
    AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| |[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
    AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.| -|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
    DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| ### April 2019 diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 7bc515edc2..0591f04600 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -36,7 +36,7 @@ The following diagram shows the PassportForWork configuration service provider i Root node for PassportForWork configuration service provider. ***TenantId*** -A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. +A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](https://docs.microsoft.com/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). ***TenantId*/Policies** Node for defining the Windows Hello for Business policy settings. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 46a8f4ff4e..d70b2e4c3a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3000,6 +3000,13 @@ The following diagram shows the Policy configuration service provider in tree fo +### ServiceControlManager policies +
    +
    + ServiceControlManager/SvchostProcessMitigation +
    +
    + ### Settings policies
    @@ -4219,6 +4226,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) - [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) - [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) @@ -4963,6 +4971,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb) - [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries) - [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) - [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips) - [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md new file mode 100644 index 0000000000..18c9500905 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -0,0 +1,112 @@ +--- +title: Policy CSP - ServiceControlManager +description: Policy CSP - ServiceControlManager +ms.author: Heidi.Lohr +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: Heidilohr +ms.date: 05/21/2019 +--- + +# Policy CSP - ServiceControlManager + + +
    + + +## ServiceControlManager policies + +
    +
    + ServiceControlManager/SvchostProcessMitigation +
    +
    + +
    + + +**ServiceControlManager/SvchostProcessMitigation** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcheck mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting enables process mitigation options on svchost.exe processes. + +If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. + +This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. + +If you disable or do not configure this policy setting, the stricter security settings will not be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable svchost.exe mitigation options* +- GP name: *SvchostProcessMitigationEnable* +- GP path: *System/Service Control Manager Settings/Security Settings* +- GP ADMX file name: *ServiceControlManager.admx* + + + +Supported values: +- disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. +- enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. + + + + + + + + + + + +
    + +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 7d77e94d7d..6efbed9a1f 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -254,6 +254,7 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId= ## Related topics +[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946) [Manage corporate devices](manage-corporate-devices.md) diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 1232a8f3f0..8b6e9832e9 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -83,7 +83,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a ## Export the Start layout -When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. +When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ >[!IMPORTANT] >If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions. @@ -155,6 +155,8 @@ When you have the Start layout that you want your users to see, use the [Export- >* If you place executable files or scripts in the \ProgramData\Microsoft\Windows\Start Menu\Programs folder, they will not pin to Start. > >* Start on Windows 10 does not support subfolders. We only support one folder. For example, \ProgramData\Microsoft\Windows\Start Menu\Programs\Folder. If you go any deeper than one folder, Start will compress the contents of all the subfolder to the top level. +> +>* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\. ## Configure a partial Start layout diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 3b74f5101f..7ca878471d 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -26,9 +26,9 @@ This topic provides an overview of new solutions and online content related to d ## Recent additions to this page [SetupDiag](#setupdiag) 1.4.1 is released.
    -[MDT](#microsoft-deployment-toolkit-mdt) 8456 is released.
    +The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install) is available.
    New [Windows Autopilot](#windows-autopilot) content is available.
    -The [Microsoft 365](#microsoft-365) section was added. +[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. ## The Modern Desktop Deployment Center @@ -45,7 +45,16 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic ## Windows 10 servicing and support -Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. +- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Office 365 ProPlus updates, and Intune content, with System Center Configuration Manager content coming soon! +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. +- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. +- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. +- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. + +Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. ![Support lifecycle](images/support-cycle.png) @@ -62,11 +71,21 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris ### Windows Autopilot -Windows Autopilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. -Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md). +The following Windows Autopilot features are available in Windows 10, version 1903 and later: -Recent Autopilot content includes new instructions for CSPs and OEMs on how to [obtain and use customer authorization](windows-autopilot/registration-auth.md) to register Windows Autopilot devices on the customer’s behalf. +- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users. +- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. +- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. +- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. +- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. + +### Windows 10 Subscription Activation + +Windows 10 Education support has been added to Windows 10 Subscription Activation. + +With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation). ### SetupDiag diff --git a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 9935a8a53c..4581484ae3 100644 --- a/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index e5da6f79dd..c8324e1658 100644 --- a/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 96d8d3f119..b925e01e72 100644 --- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md index d06a6f7dc7..6e4fefc40a 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 936611965a..bedd7988b2 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 5765cc0355..2b616d34ce 100644 --- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md index b0878d4298..c025496608 100644 --- a/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 05a4969529..9cbc4421c2 100644 --- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 1585e2bf48..248bf84a0d 100644 --- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 93e54633fa..b8be3c7760 100644 --- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 2942c63221..330e74a778 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobility -author: mtniehaus -ms.date: 04/19/2017 +author: greg-lindsay ms.topic: article --- @@ -21,8 +20,8 @@ ms.topic: article This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. ->[!NOTE] ->This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see [Using Cmdlets](https://go.microsoft.com/fwlink/p/?linkid=230693). +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. ## Deployment tips diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index aece2d16f5..8d88d7e3ab 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: mobility ms.sitesec: library -author: mtniehaus -ms.date: 04/19/2017 +author: greg-lindsay ms.topic: article --- @@ -19,18 +18,16 @@ ms.topic: article - Windows 10 +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + The following are the best practice recommendations for using Windows To Go: - Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. - - Do not insert the Windows To Go drive into a running computer. - - Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. - - If available, use a USB 3.0 port with Windows To Go. - - Do not install non-Microsoft core USB drivers on Windows To Go. - - Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. @@ -38,15 +35,11 @@ Additionally, we recommend that when you plan your deployment you should also pl ## More information -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) +[Windows To Go: feature overview](windows-to-go-overview.md)
    +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
    +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
    +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
    +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
      diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 9730a3defb..ebc102b50f 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: mobility ms.sitesec: library -author: mtniehaus -ms.date: 04/19/2017 +author: greg-lindsay ms.topic: article --- @@ -19,6 +18,9 @@ ms.topic: article - Windows 10 +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. **Note**   diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index d93629a7ea..c24f35b612 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: mobility ms.sitesec: library -author: mtniehaus -ms.date: 04/19/2017 +author: greg-lindsay ms.topic: article --- @@ -19,6 +18,9 @@ ms.topic: article - Windows 10 +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. ## What is Windows To Go? @@ -29,13 +31,9 @@ Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education t Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are: - USB boot capable - - Have USB boot enabled in the firmware - - Meet Windows 7 minimum system requirements - - Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM is not a supported processor for Windows To Go. - - Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go. diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 683018e1d1..46b875752d 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: mobility, security ms.sitesec: library -author: mtniehaus -ms.date: 04/19/2017 +author: greg-lindsay ms.topic: article --- @@ -19,6 +18,9 @@ ms.topic: article - Windows 10 +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. ## Backup and restore diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 1fe897263a..d93e7a14a8 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md @@ -8,8 +8,7 @@ ms.mktglfcycl: plan ms.pagetype: appcompat ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 99f0aa2457..6537ed94e3 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: plan ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index f1a6b4ae5c..6633bec7a7 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index 235406b45a..bef1ea2050 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: mobility ms.sitesec: library -author: mtniehaus -ms.date: 04/19/2017 +author: greg-lindsay ms.topic: article --- @@ -19,6 +18,9 @@ ms.topic: article - Windows 10 +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + The following list identifies some commonly asked questions about Windows To Go. - [What is Windows To Go?](#wtg-faq-whatis) diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index ca27c8a82f..559c88d658 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -7,8 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: mobility, edu ms.sitesec: library -author: mtniehaus -ms.date: 04/19/2017 +author: greglin ms.topic: article --- @@ -19,16 +18,16 @@ ms.topic: article - Windows 10 +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. PCs that meet the Windows 7 or later [certification requirements](https://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go: - [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif) - - [Roaming with Windows To Go](#bkmk-wtgroam) - - [Prepare for Windows To Go](#wtg-prep-intro) - - [Hardware considerations for Windows To Go](#wtg-hardware) **Note**   diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 7fbacf8aee..100f99d74c 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -5,9 +5,9 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greglin +ms.author: jaimeo ms.collection: M365-modern-desktop ms.topic: article --- @@ -59,6 +59,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Select the source of Group IDs](#select-the-source-of-group-ids) | DOGroupIDSource | 1803 | | [Delay background download from http (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | | [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | +| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | +| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | ### More detail on Delivery Optimization settings: @@ -198,6 +200,12 @@ Starting in Windows 10, version 1803, this allows you to delay the use of an HTT ### Delay foreground download from http (in secs) Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +### Delay Foreground Download Cache Server Fallback (in secs) +Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). + +### Delay Background Download Cache Server Fallback (in secs) +Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). + ### Minimum Background QoS This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. @@ -221,3 +229,5 @@ The device can download from peers while on battery regardless of this policy. >[!IMPORTANT] > By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause. + + diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index e846ff795e..7a88db81fd 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -48,7 +48,7 @@ Quick-reference table: For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. -[//]: # (is there a topic on GroupIDSrc we can link to?) + To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. @@ -97,8 +97,11 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** ## Monitor Delivery Optimization [//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) -### Windows PowerShell cmdlets for analyzing usage -**Starting in Windows 10, version 1703**, you can use two new PowerShell cmdlets to check the performance of Delivery Optimization: +### Windows PowerShell cmdlets + +**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. + +#### Analyze usage `Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. @@ -113,8 +116,10 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** | BytesfromHTTP | Total number of bytes received over HTTP | | DownloadDuration | Total download time in seconds | | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | - - +| NumPeers | Indicates the total number of peers returned from the service. | +| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | +| ExpireOn | The target expiration date and time for the file. | +| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). |   `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: @@ -129,9 +134,35 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** Using the `-Verbose` option returns additional information: - Bytes from peers (per type)  -- Bytes from CDN  (the number of bytes received over HTTP) +- Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download  +Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. + +Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. + +#### Manage the Delivery Optimization cache + +**Starting in Windows 10, version 1903:** + +`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. + +`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. + +You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. + +`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. + +`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are rreached. The file is included in the cache quota calculation. + +`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: + +- `-FileID` specifies a particular file to delete. +- `-IncludePinnedFiles` deletes all files that are pinned. +- `-Force` deletes the cache with no prompts. + + +#### Work with Delivery Optimization logs **Starting in Windows 10, version 1803:** @@ -143,9 +174,7 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a [//]: # (section on what to look for in logs, list of peers, connection failures) -`Get-DeliveryOptimizationPerfSnapThisMonth` -Returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. [//]: # (possibly move to Troubleshooting) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 765547a61f..a8f9235264 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -53,7 +53,9 @@ The following table lists the minimum Windows 10 version that supports Delivery | Win32 apps for Intune | 1709 | | SCCM Express Updates | 1709 + Configuration Manager version 1711 | -[//]: # (**Network requirements**) + @@ -72,7 +74,9 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. -[//]: # (Starting with Windows Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see {LINK}.) +Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows)) + +**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. ## Reference @@ -110,6 +114,9 @@ For the payloads (optional): **Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. +**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimizatio uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + + ## Troubleshooting This section summarizes common problems and some solutions to try. diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 37103745b0..2807a78f24 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -45,7 +45,7 @@ Semi-Annual Channel is the default servicing channel for all Windows 10 devices >The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). >[!NOTE] ->Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel. +>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel. ## Assign devices to Semi-Annual Channel diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 9942044960..e2e21a62bc 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -84,11 +84,13 @@ If you have devices that appear in other solutions, but not Device Health (the D 1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. 2. Confirm that the devices are running Windows 10. 3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). -4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). +4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full). + - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the location set by Group Policy or MDM + - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the location set by local tools such as the Settings app. + - By convention the Group Policy location would take precedence if both are set. Starting with Windows 10, version 1803, the default precedence is modified to enable a device user to lower the diagnostic data level from that set by IT. For organizations which have no requirement to allow the user to override IT, the conventional (IT wins) behavior can be re-enabled using **DisableTelemetryOptInSettingsUx**. This policy can be set via Group Policy as **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**. 5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -6. Add the Device Health solution back to your Log Analytics workspace. -7. Wait 48 hours for activity to appear in the reports. -8. If you need additional troubleshooting, contact Microsoft Support. +6. Wait 48 hours for activity to appear in the reports. +7. If you need additional troubleshooting, contact Microsoft Support. ### Device crashes not appearing in Device Health Device Reliability diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index a966f7ad8e..34e613e06a 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 03/30/2018 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index d8b5c9b9e4..dd4f34cf81 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 05/03/2018 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 3b660307e8..d017fb37d3 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 03/30/2018 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 3193a41095..90038e88cf 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 04/18/2018 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index a3241982d6..09c55dda74 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 03/16/2018 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index 398c6de350..376e24d7dc 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 08/18/2018 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index b7b51ae981..5c36726a38 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -45,4 +45,10 @@ In order to enable this scenario, you need: - Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. - Set ClientProxy=User in bat. +>[!IMPORTANT] +> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection] + + + + diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index d9763887fe..66be7de286 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -6,8 +6,7 @@ keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.localizationpriority: medium ms.mktglfcycl: deploy -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 7986e2b587..b72077d3c3 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -8,8 +8,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -author: mtniehaus -ms.date: 07/27/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index e3ad02a8ae..8cbc00b791 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -6,7 +6,6 @@ ms.localizationpriority: medium ms.prod: w10 author: jaimeo ms.author: jaimeo -ms.date: 07/31/2018 ms.topic: article --- diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 3b2cb8c678..7c39de2e38 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 03/30/2018 ms.localizationpriority: medium ms.topic: article --- diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index b2bade848b..9299c644fc 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -6,7 +6,6 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay -ms.date: 11/17/2017 ms.topic: article --- diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md deleted file mode 100644 index 92c1d57447..0000000000 --- a/windows/deployment/windows-autopilot/rip-and-replace.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Rip and Replace -description: Listing of Autopilot scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: high -ms.sitesec: library -ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 ---- - -# Rip and replace - -**Applies to: Windows 10** - -DO NOT PUBLISH. Just a placeholder for now, coming with 1809. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 88ac95d477..5e871a2c28 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -15,13 +15,13 @@ ms.topic: article # Windows Autopilot for white glove deployment -**Applies to: Windows 10, version 1903** +**Applies to: Windows 10, version 1903** (preview) Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready. ![OEM](images/wg01.png) -Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready​. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster. +Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster. With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device. @@ -34,7 +34,7 @@ Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following: - Windows 10, version 1903 or later is required. -- An Intune subscription with additional flighted features that are not yet available publicly is currently required. Note: This feature will change soon from flighted to preview. Prior to this feature switching to preview status, attempts to perform white glove deployment without t flighted features will fail with an Intune enrollment error. +- An Intune subscription. - Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements. - Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device. @@ -49,12 +49,12 @@ If these scenarios cannot be completed, Windows Autopilot for white glove deploy To enable white glove deployment, an additional Autopilot profile setting must be configured: ->[!TIP] ->To see the white glove deployment Autopilot profile setting, use this URL to access the Intune portal: https://portal.azure.com/?microsoft_intune_enrollment_enableWhiteGlove=true. This is a temporary requirement. - ![allow white glove](images/allow-white-glove-oobe.png) -The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. **Note**: other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. +The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. + +>[!NOTE] +>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. ## Scenarios @@ -82,16 +82,16 @@ Regardless of the scenario, the process to be performed by the technician is the ![landing](images/landing.png) - Click **Provision** to begin the provisioning process. + If the pre-provisioning process completes successfully: - A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps. + ![white-glove-result](images/white-glove-result.png) - Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user. If the pre-provisioning process fails: - A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps. - Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again. - ![white-glove-result](images/white-glove-result.png) - ### User flow If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps: diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 2682bbad0b..18511a429a 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -6,8 +6,7 @@ keywords: deploy, volume activation, BitLocker, recovery, install, installation, ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: mtniehaus -ms.date: 07/12/2017 +author: greg-lindsay ms.topic: article --- diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 9247b0b811..1dd34ad810 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -1,6 +1,7 @@ # [Privacy](index.yml) ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) ## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) +## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md) ## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) ## Diagnostic Data Viewer diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c68d13cadf..a9e92983f8 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -666,7 +666,7 @@ To remove the News app: -or- >[!IMPORTANT] -> If you have any issues with these commands, do a system reboot and try the scripts again. +> If you have any issues with these commands, restart the system and try the scripts again. > - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md new file mode 100644 index 0000000000..47ce5b00ee --- /dev/null +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -0,0 +1,204 @@ +--- +description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows 10. +title: Windows 10 & Privacy Compliance - A Guide for IT and Compliance Professionals +keywords: privacy, GDPR, compliance +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: brianlic-msft +ms.author: brianlic +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 05/21/2019 +--- + +# Windows 10 & Privacy Compliance:
    A Guide for IT and Compliance Professionals + +Applies to: +- Windows 10, version 1903 +- Windows 10, version 1809 +- Windows 10 Team Edition, version 1703 for Surface Hub +- Windows Server 2019 +- Windows Server 2016 +- Windows Analytics + +For more information about the GDPR, see: +* [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) +* [Microsoft GDPR Overview](https://aka.ms/GDPROverview) +* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq) +* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp) +* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted) + +## Overview + +At Microsoft, we are deeply committed to data privacy across all our products and services. With this guide, we provide IT and compliance professionals with data privacy considerations for Windows 10. + +Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and organizations control the collection of personal data, Windows 10 provides comprehensive transparency features, settings choices, controls and support for data subject requests, all of which are detailed in this guide. + +This information allows IT and compliance professionals work together to better manage personal data privacy considerations and related regulations, such as the General Data Protection Regulation (GDPR). + + +## 1. Windows 10 data collection transparency + +Transparency is an important part of the data collection process in Windows 10. Comprehensive information about the features and processes used to collect data is available to users and administrators directly within Windows, both during and after device set up. + +If interested in understanding how to manage settings related to data collection skip to the next section [Windows 10 data collection management](#12-data-collection-monitoring). + + +### 1.1 Device set up experience and support for layered transparency + +When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining the amount of personal data collected. For each privacy setting, the user is provided information about the setting along with the links to supporting information. This information explains what data is collected, how the data is used and how to manage the setting after the device setup is complete. The user can also review the privacy statement when connected to the network during this portion of setup. A brief overview of the set up experience for privacy settings are described in [this blog](https://blogs.windows.com/windowsexperience/2018/03/06/windows-insiders-get-first-look-new-privacy-screen-settings-layout-coming-windows-10/#uCC2bKYP8M5BqrDP.97). + +The following table provides an overview of the Windows 10 privacy settings presented during the device setup experience that involve processing personal data and where to find additional information. + +> [!NOTE] +> This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version 1809 and later). For the full list of settings that involve data collection, see: [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). + +| Feature/Setting | Description | Supporting Content | Privacy Statement | +| --- | --- | --- | --- | +| Diagnostic Data |

    Microsoft uses diagnostic data to: keep Windows secure and up to date, troubleshoot problems, and make product improvements as described in more detail below. Regardless of level selected, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device, and understand the device's service issues and use patterns.

    Diagnostic data is categorized into four levels:

    | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy)

    [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | +| Inking and typing diagnostics | Microsoft collects inking and typing data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | +| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/speech-inking-typing-and-privacy-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) | +| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) | +| Find my device | Use your device’s location data to help you find your device if you lose it. | [Learn more](https://support.microsoft.com/help/11579/microsoft-account-find-and-lock-lost-windows-device) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) | +| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you have chosen (Security, Basic, Enhanced, or Full). Tailored experiences mean personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) | +| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/general-privacy-settings-in-windows-10-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainadvertisingidmodule) | +| Activity History/Timeline – Cloud Sync | If you want timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) | +| Cortana |

    Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/instantanswers/557b5e0e-0eb0-44db-87d6-5e5db6f9c5b0/cortana-s-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared.

    Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.

    | [Learn more](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy)

    [Cortana integration in your business or enterprise](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) | + +### 1.2 Data collection monitoring + +The Diagnostic Data Viewer (DDV) is a Windows app (available in Windows 10, version 1803 or later) that lets a user review the Windows diagnostic data that is being collected on their Windows 10 device and sent to Microsoft. DDV groups the information into simple categories based on how it is used by Microsoft. The [DDV Overview](diagnostic-data-viewer-overview.md) provides information on how users can get started on using this tool. + +An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data collected from the device instead of using the Diagnostic Data Viewer UI. The [Diagnostic Data Viewer for PowerShell Overview](microsoft-diagnosticdataviewer.md) provides further information. + + +## 2. Windows 10 data collection management + +Windows 10 provides the ability to manage privacy settings through several different methods. Users can change their privacy settings using the Windows 10 settings (**Start** > **Settings** > **Privacy**). The organization can also manage the privacy settings using group policy or mobile device management (MDM). The following sections provide an overview on how to manage the privacy settings previously discussed in this article. + +### 2.1 Privacy setting options for users + +Once a Windows 10 device is set up, a user can manage data collection settings by going to **Start** > **Settings** > **Privacy**. IT administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to **Start** > **Settings** > **Privacy**. Meaning the user can only change settings in accordance with the policies that the administrator has applied to the device. + +### 2.2 Privacy setting controls for administrators + +The IT department can configure and control privacy settings across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings. + +The following table provides an overview of the privacy settings discussed earlier in this document with details on how to configure these via policy. The table also provides information on what the default value would be for each of these privacy settings if you do not manage the setting via policy and suppress the Out-of-box Experience (OOBE) during device setup. For an IT administrator interested in minimizing data, we also provide the recommended value to set. + +> [!NOTE] +> This is not a complete list of settings that involve connecting to Microsoft services. To see a more detailed list, please refer to Manage connections from [Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). + +| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection | +|---|---|---|---| +| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
    **Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**

    MDM: [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off | +| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
    **Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**

    MDM: [Privacy/LetAppsAccessLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation) | Off (Windows 10, version 1903 and later) | Off | +| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
    **Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**

    MDM: [Experience/AllFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off | +| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#enterprise-management) | Group Policy:
    **Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**

    MDM: [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop SKUs:
    Basic (Windows 10, version 1903 and later)

    Server SKUs:
    Enhanced | Security and block endpoints | +| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
    **Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**

    MDM: [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off | +| Tailored Experiences | Group Policy:
    **User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**

    MDM: Link TBD | Off | Off | +| Advertising ID | Group Policy:
    **Configuration** > **System** > **User Profile** > **Turn off the advertising Id**

    MDM: [Privacy/DisableAdvertisingId](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off | +| Activity History/Timeline – Cloud Sync | Group Policy:
    **Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**

    MDM: [Privacy/EnableActivityFeed](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off | +| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:
    **Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**

    MDM: [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off | + +### 2.3 Guidance for configuration options + +This section provides general details and links to more detailed information as well as instructions for IT administrators and compliance professional. These instructions allow IT admins and compliance pros to manage the device compliance. This information includes details about setting up a device, to configuring the device’s settings after setup is completed to minimize data collected and drive privacy related user experiences. + +#### 2.3.1 Managing the device setup experience + +Windows deployment can be configured using several different methods, which provide an administrator with options to control: how a device is set up, what’s enabled by default, and what the user is able to change on the system after they log on. + +The [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment/) section of the Windows IT Pro Center provides an overview of the different options. + +#### 2.3.2 Managing connections from Windows components to Microsoft services + +IT administrators can manage the data sent from their organization to Microsoft by configuring settings associated with the functionality provided by these Windows components. + +See [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) for more details, including the different methods available on how to configure each setting, the impact to functionality and which versions of Windows that are applicable. + +#### 2.3.3 Managing Windows 10 connections + +Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints as an additional measure of ensuring privacy compliance within their organization. + +[Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with the functionality that would be impacted. Details for additional Windows versions can be found on the [Windows Privacy site](https://docs.microsoft.com/windows/privacy/) under the “Manage Windows 10 connection endpoints” section of the left-hand navigation menu. + +#### 2.3.4 Limited functionality baseline + +An organization may want to further minimize the amount of data shared with Microsoft or apps by managing the connections and configuring additional settings on their devices. Similar to [Security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), we have a limited functionality baseline-focused configuring settings to minimize the data shared, however this comes with some potential impact to functionality on the device. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators who don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization. + +#### 2.3.5 Diagnostic data: Managing notifications for change of level at logon + +Windows 10, version 1803, and later provides users with a notification during sign in about changes to the diagnostic data level on the device so they are aware of any changes where additional data may be collected. For instance, if the diagnostic level on the device is set to Basic and an administrator changes it to Full, users will be notified when they next sign in. The IT administrator can disable these notifications by setting Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in change notifications** or the MDM policy `ConfigureTelemetryOptInChangeNotification`. + +#### 2.3.6 Diagnostic data: Managing end user choice for changing the setting + +Windows 10, version 1803 and later, allows users to change their diagnostic data level to a lower setting than what their IT administrator has set. For instance, if the administrator has set the diagnostic data level to Enhanced or Full, a user can change the setting to Basic by going into **Settings** > **Privacy** > **Diagnostic & feedback**. The administrator can disable the user ability to change the setting via **Setting** > **Privacy** by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Configure telemetry opt-in setting user interface** or the MDM policy `ConfigureTelemetryOptInSettingsUx`. + +#### 2.3.7 Diagnostic data: Managing device-based data delete + +Windows 10, version 1809 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script. + +An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`. + + +## 3. The process for exercising data subject rights + +This section discusses the different methods Microsoft provides for users and IT administrators to exercise data subject rights for data collected from a Windows 10 device. + +### 3.1 Delete + +Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. Administrators can also use the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script. + +### 3.2 View + +The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides a view into the diagnostic data being collected from the Windows 10 device. IT administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script. + +### 3.3 Export + +The [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) provides the ability to export the diagnostic data captured while the app is running, by clicking the Export data button in the top menu. IT administrators can also use the [Get-DiagnosticData](microsoft-diagnosticdataviewer.md#install-and-use-the-diagnostic-data-viewer-for-powershell) PowerShell cmdlet script. + +### 3.4 Devices connected to a Microsoft account + +If a user signs in to a Windows experience or app on their device with their Microsoft account (MSA), they can view, delete, and export data associated with their MSA on the [Privacy dashboard](https://account.microsoft.com/privacy). + + +## 4. Cross-border data transfers + +Microsoft complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. + +Microsoft’s [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) provides details on how we store and process personal data. + + +## 5. Related Windows product considerations + +The following sections provide details about how privacy data is collected and managed across related Windows products. + +### 5.1 Windows Server 2016 and 2019 + +Windows Server follows the same mechanisms as Windows 10 for handling of personal data. There are some differences regarding [diagnostic default settings for Windows Server](https://microsoft-my.sharepoint.com/personal/v-colinm_microsoft_com/Documents/WINDOWS%20PRIVACY/Windows%20diagnostic%20data%20and%20Windows%20Server). + +### 5.2 Surface Hub + +Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to an individual user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. + +For more details, see [Windows 10 Team Edition, Version 1703 for Surface Hub](gdpr-it-guidance.md#windows-10-team-edition-version-1703-for-surface-hub). + +### 5.3 Windows 10 Analytics + +[Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: Device Health, Update Compliance, and Upgrade Readiness. Windows Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function. + +For more details, see the [Windows Analytics overview page](https://docs.microsoft.com/windows/deployment/update/windows-analytics-overview). + + +## Additional Resources + +* [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trustcenter/privacy/gdpr/gdpr-overview) +* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/TrustCenter/Privacy/privacy-overview) +* [Windows IT Pro Docs](https://docs.microsoft.com/windows/#pivot=it-pro) + diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 9606bb5208..05e0114961 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -68,6 +69,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusDate resolved
    Update not showing as applicable through WSUS or SCCM or when manually installed
    Update not showing as applicable through WSUS or SCCM or when manually installed

    See details >    		OS Build 14393.2969

    May 14, 2019
    KB4494440    		Resolved
    KB4498947    		May 14, 2019
    10:00 AM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >    		OS Build 14393.2969

    May 14, 2019
    KB4494440    		Resolved
    KB4505052    		May 19, 2019
    02:00 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

    See details >    		OS Build 14393.2941

    April 25, 2019
    KB4493473    		Resolved
    KB4494440    		May 14, 2019
    10:00 AM PT
    Zone transfers over TCP may fail
    Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

    See details >    		OS Build 14393.2941

    April 25, 2019
    KB4493473    		Resolved
    KB4494440    		May 14, 2019
    10:00 AM PT
    +
    DetailsOriginating updateStatusHistory
    Update not showing as applicable through WSUS or SCCM or when manually installed
    KB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms. When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"


    Affected platforms:
    • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016

    Resolution: The servicing stack update (SSU) (KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.

    Back to top    		OS Build 14393.2969

    May 14, 2019
    KB4494440    		Resolved
    KB4498947    		Resolved:
    May 14, 2019
    10:00 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.

    This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
     

    Back to top    		OS Build 14393.2969

    May 14, 2019
    KB4494440    		Resolved
    KB4505052    		Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue has been resolved.

    Back to top    		OS Build 14393.2941

    April 25, 2019
    KB4493473    		Resolved
    KB4494440    		Resolved:
    May 14, 2019
    10:00 AM PT

    Opened:
    May 10, 2019
    10:35 AM PT
    diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index dd98581223..ce1f513a1a 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -5,7 +5,7 @@ title: Windows 10, version 1507 metadata: document_id: title: Windows 10, version 1507 - description: View annoucements and review known issues and fixes for Windows 10 version 1507 + description: View announcements and review known issues and fixes for Windows 10 version 1507 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 6ac43dc23c..65f77cb12b 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -5,7 +5,7 @@ title: Windows 10, version 1607 and Windows Server 2016 metadata: document_id: title: Windows 10, version 1607 and Windows Server 2016 - description: View annoucements and review known issues and fixes for Windows 10 version 1607 and Windows Server 2016 + description: View announcements and review known issues and fixes for Windows 10 version 1607 and Windows Server 2016 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay @@ -66,10 +66,10 @@ sections:
    SCVMM cannot enumerate and manage logical switches deployed on the host
    For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

    See details >OS Build 14393.2639

    November 27, 2018
    KB4467684Mitigated
    April 25, 2019
    02:00 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >OS Build 14393.2724

    January 08, 2019
    KB4480961Mitigated
    April 25, 2019
    02:00 PM PT
    Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
    Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

    See details >OS Build 14393.2608

    November 13, 2018
    KB4467691Mitigated
    February 19, 2019
    10:00 AM PT +
    Update not showing as applicable through WSUS or SCCM or when manually installed
    Update not showing as applicable through WSUS or SCCM or when manually installed

    See details >OS Build 14393.2969

    May 14, 2019
    KB4494440Resolved
    KB4498947May 14, 2019
    10:00 AM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 14393.2969

    May 14, 2019
    KB4494440Resolved
    KB4505052May 19, 2019
    02:00 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

    See details >OS Build 14393.2941

    April 25, 2019
    KB4493473Resolved
    KB4494440May 14, 2019
    10:00 AM PT
    Zone transfers over TCP may fail
    Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

    See details >OS Build 14393.2941

    April 25, 2019
    KB4493473Resolved
    KB4494440May 14, 2019
    10:00 AM PT -
    Custom URI schemes may not start corresponding application
    Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

    See details >OS Build 14393.2848

    March 12, 2019
    KB4489882Resolved
    KB4493473April 25, 2019
    02:00 PM PT " @@ -86,6 +86,7 @@ sections: text: " +
    DetailsOriginating updateStatusHistory
    Devices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000
    Some devices running Windows Server 2016 with Hyper-V enabled may enter Bitlocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

    Note Windows 10, version 1607 may also be affected when Bitlocker and Hyper-V are both enabled.

    Affected platforms:
    • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Workaround: If your device is already in this state, you can successfully start Windows after suspending Bitlocker from the Windows Recovery Environment (WinRE) using the following steps:
    1. Retrieve the 48 digit Bitlocker recovery password for the OS volume from your organization's portal or from wherever the key was stored when Bitlocker was first enabled.
    2. From the recovery screen, press the enter key and enter the recovery password when prompted.
    3. If your device starts in the Windows Recovery Environment and asks for recovery key again, select Skip the drive to continue to WinRE.
    4. select Advanced options then Troubleshoot then Advanced options then Command Prompt.
    5. Unlock OS drive using the command: Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
    6. Suspend Bitlocker using the command: Manage-bde -protectors -disable c:
    7. Exit the command window using the command: exit
    8. Select Continue from recovery environment.
    9. The device should now start Windows.
    10. Once started, launch an Administrator Command Prompt and resume the Bitlocker to ensure the system remains protected, using the command: Manage-bde -protectors -enable c:
    Note The workaround needs to be followed on every system restart unless Bitlocker is suspended before restarting.

    To prevent this issue, execute the following command to temporarily suspend Bitlocker just before restarting the system: Manage-bde -protectors -disable c: -rc 1
    Note This command will suspend Bitlocker for 1 restart of the device (-rc 1 option only works inside OS and does not work from recovery environment).

    Next steps: Microsoft is presently investigating this issue and will provide an update when available.

    Back to top    		OS Build 14393.2969

    May 14, 2019
    KB4494440    		Mitigated
    		Last updated:
    May 23, 2019
    09:57 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
    Update not showing as applicable through WSUS or SCCM or when manually installed
    KB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms. When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"


    Affected platforms:
    • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016

    Resolution: The servicing stack update (SSU) (KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.

    Back to top    		OS Build 14393.2969

    May 14, 2019
    KB4494440    		Resolved
    KB4498947    		Resolved:
    May 14, 2019
    10:00 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.

    This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
     

    Back to top    		OS Build 14393.2969

    May 14, 2019
    KB4494440    		Resolved
    KB4505052    		Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue has been resolved.

    Back to top    		OS Build 14393.2941

    April 25, 2019
    KB4493473    		Resolved
    KB4494440    		Resolved:
    May 14, 2019
    10:00 AM PT

    Opened:
    May 10, 2019
    10:35 AM PT
    @@ -107,7 +108,6 @@ sections: -
    DetailsOriginating updateStatusHistory
    Issue using PXE to start a device from WDS
    After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

    Option 1:
    Open an Administrator Command prompt and type the following:
    Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

    Option 2:
    Use the Windows Deployment Services UI to make the following adjustment:
    1. Open Windows Deployment Services from Windows Administrative Tools.
    2. Expand Servers and right-click a WDS server.
    3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.
    Option 3:
    Set the following registry value to 0:
    HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension

    Restart the WDSServer service after disabling the Variable Window Extension.

    Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

    Back to top    		OS Build 14393.2848

    March 12, 2019
    KB4489882    		Mitigated
    		Last updated:
    April 25, 2019
    02:00 PM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    Custom URI schemes may not start corresponding application
    After installing KB4489882, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

    Affected platforms: 
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
    Resolution: This issue is resolved in KB4493473

    Back to top    		OS Build 14393.2848

    March 12, 2019
    KB4489882    		Resolved
    KB4493473    		Resolved:
    April 25, 2019
    02:00 PM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    " diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 7190ce8dc6..0b291ebc3c 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -5,7 +5,7 @@ title: Windows 10, version 1703 metadata: document_id: title: Windows 10, version 1703 - description: View annoucements and review known issues and fixes for Windows 10 version 1703 + description: View announcements and review known issues and fixes for Windows 10 version 1703 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay @@ -63,7 +63,6 @@ sections:
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >OS Build 15063.1563

    January 08, 2019
    KB4480973Mitigated
    April 25, 2019
    02:00 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 15063.1805

    May 14, 2019
    KB4499181Resolved
    KB4505055May 19, 2019
    02:00 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

    See details >OS Build 15063.1784

    April 25, 2019
    KB4493436Resolved
    KB4499181May 14, 2019
    10:00 AM PT -
    Custom URI schemes may not start corresponding application
    Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

    See details >OS Build 15063.1689

    March 12, 2019
    KB4489871Resolved
    KB4493436April 25, 2019
    02:00 PM PT " @@ -84,15 +83,6 @@ sections: " -- title: March 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Custom URI schemes may not start corresponding application
    After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
    Resolution: This issue is resolved in KB4493436

    Back to top    		OS Build 15063.1689

    March 12, 2019
    KB4489871    		Resolved
    KB4493436    		Resolved:
    April 25, 2019
    02:00 PM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    - " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 165d1cbd86..e2195cb7e2 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -5,7 +5,7 @@ title: Windows 10, version 1709 and Windows Server, version 1709 metadata: document_id: title: Windows 10, version 1709 and Windows Server, version 1709 - description: View annoucements and review known issues and fixes for Windows 10 version 1709 and Windows Server 1709 + description: View announcements and review known issues and fixes for Windows 10 version 1709 and Windows Server 1709 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay @@ -64,7 +64,6 @@ sections:
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 16299.1143

    May 14, 2019
    KB4498946Resolved
    KB4505062May 19, 2019
    02:00 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

    See details >OS Build 16299.1127

    April 25, 2019
    KB4493440Resolved
    KB4499179May 14, 2019
    10:00 AM PT
    Zone transfers over TCP may fail
    Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

    See details >OS Build 16299.1127

    April 25, 2019
    KB4493440Resolved
    KB4499179May 14, 2019
    10:00 AM PT -
    Custom URI schemes may not start corresponding application
    Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

    See details >OS Build 16299.1029

    March 12, 2019
    KB4489886Resolved
    KB4493440April 25, 2019
    02:00 PM PT " @@ -94,15 +93,6 @@ sections: " -- title: March 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Custom URI schemes may not start corresponding application
    After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
    Resolution: This issue is resolved in KB4493440

    Back to top    		OS Build 16299.1029

    March 12, 2019
    KB4489886    		Resolved
    KB4493440    		Resolved:
    April 25, 2019
    02:00 PM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    - " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 102e57aef1..1c68256e88 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -5,7 +5,7 @@ title: Windows 10, version 1803 metadata: document_id: title: Windows 10, version 1803 - description: View annoucements and review known issues and fixes for Windows 10 version 1803 + description: View announcements and review known issues and fixes for Windows 10 version 1803 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay @@ -65,7 +65,6 @@ sections:
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 17134.765

    May 14, 2019
    KB4499167Resolved
    KB4505064May 19, 2019
    02:00 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.

    See details >OS Build 17134.753

    April 25, 2019
    KB4493437Resolved
    KB4499167May 14, 2019
    10:00 AM PT
    Zone transfers over TCP may fail
    Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

    See details >OS Build 17134.753

    April 25, 2019
    KB4493437Resolved
    KB4499167May 14, 2019
    10:00 AM PT -
    Custom URI schemes may not start corresponding application
    Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

    See details >OS Build 17134.648

    March 12, 2019
    KB4489868Resolved
    KB4493437April 25, 2019
    02:00 PM PT " @@ -102,7 +101,6 @@ sections: -
    DetailsOriginating updateStatusHistory
    Issue using PXE to start a device from WDS
    After installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

    Option 1: 
    Open an Administrator Command prompt and type the following:  
    Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

     Option 2: 
    Use the Windows Deployment Services UI to make the following adjustment:  
    1. Open Windows Deployment Services from Windows Administrative Tools. 
    2. Expand Servers and right-click a WDS server. 
    3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.  
    Option 3: 
    Set the following registry value to 0:
    HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension  

    Restart the WDSServer service after disabling the Variable Window Extension. 
     
    Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. 

    Back to top    		OS Build 17134.648

    March 12, 2019
    KB4489868    		Mitigated
    		Last updated:
    April 25, 2019
    02:00 PM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    Custom URI schemes may not start corresponding application
    After installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. 

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
    Resolution: This issue is resolved in KB4493437

    Back to top    		OS Build 17134.648

    March 12, 2019
    KB4489868    		Resolved
    KB4493437    		Resolved:
    April 25, 2019
    02:00 PM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    " diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 0a80e53db1..c19588480c 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -5,7 +5,7 @@ title: Windows 10, version 1809 and Windows Server 2019 metadata: document_id: title: Windows 10, version 1809 and Windows Server 2019 - description: View annoucements and review known issues and fixes for Windows 10 version 1809 and Windows Server 2019 + description: View announcements and review known issues and fixes for Windows 10 version 1809 and Windows Server 2019 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index d38140c25f..ec803d2fa7 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -5,7 +5,7 @@ title: Windows 10, version 1903 and Windows Server, version 1903 metadata: document_id: title: Windows 10, version 1903 and Windows Server, version 1903 - description: View annoucements and review known issues and fixes for Windows 10 version 1903 and Windows Server 1903 + description: View announcements and review known issues and fixes for Windows 10 version 1903 and Windows Server 1903 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay @@ -65,13 +65,15 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + + + - @@ -92,13 +94,15 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusLast updated
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

    See details >    		OS Build 18362.116

    May 20, 2019
    KB4505057    		Acknowledged
    		May 24, 2019
    04:20 PM PT
    Loss of functionality in Dynabook Smartphone Link app
    After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

    See details >    		OS Build 18362.116

    May 20, 2019
    KB4505057    		Investigating
    		May 24, 2019
    03:10 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Investigating
    		May 21, 2019
    04:47 PM PT
    Audio not working with Dolby Atmos headphones and home theater
    Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Investigating
    		May 21, 2019
    07:17 AM PT
    Duplicate folders and documents showing in user profile directory
    If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Investigating
    		May 21, 2019
    07:16 AM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 24, 2019
    11:02 AM PT
    AMD RAID driver incompatibility
    Installation process may stop when trying to install Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 23, 2019
    09:28 AM PT
    Error attempting to update with external USB device or memory card attached
    PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 21, 2019
    04:49 PM PT
    Unable to discover or connect to Bluetooth devices
    Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 21, 2019
    04:48 PM PT
    Night light settings do not apply in some cases
    Microsoft has identified some scenarios where night light settings may stop working.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 21, 2019
    04:48 PM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 21, 2019
    04:47 PM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 21, 2019
    04:47 PM PT
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		May 21, 2019
    04:46 PM PT
    + + + - diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index 0a772954f6..70bb640684 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -5,7 +5,7 @@ title: Windows 7 and Windows Server 2008 R2 SP1 metadata: document_id: title: Windows 7 and Windows Server 2008 R2 SP1 - description: View annoucements and review known issues and fixes for Windows 7 and Windows Server 2008 R2 SP1 + description: View announcements and review known issues and fixes for Windows 7 and Windows Server 2008 R2 SP1 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay @@ -66,7 +66,6 @@ sections: -
    DetailsOriginating updateStatusHistory
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

    Affected platforms:
    • Client: Windows 10, version 1903
    Next steps: We are working on a resolution and estimate a solution will be available in late June.

    Back to top    		OS Build 18362.116

    May 20, 2019
    KB4505057    		Acknowledged
    		Last updated:
    May 24, 2019
    04:20 PM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Loss of functionality in Dynabook Smartphone Link app
    Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

    To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Next steps: Microsoft and Dynabook are working on a resolution; the Dynabook Smartphone Link application may have a loss of functionality until this issue is resolved.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Back to top    		OS Build 18362.116

    May 20, 2019
    KB4505057    		Investigating
    		Last updated:
    May 24, 2019
    03:10 PM PT

    Opened:
    May 24, 2019
    03:10 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Window 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

    To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: Restart your device to apply changes to brightness.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution that will be made available in upcoming release.

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Investigating
    		Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:56 AM PT
    Audio not working with Dolby Atmos headphones and home theater
    After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
     
    This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
     
    To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Next steps: We are working on a resolution for Microsoft Store and estimate a solution will be available in mid-June.
    Note We recommend you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. 

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Investigating
    		Last updated:
    May 21, 2019
    07:17 AM PT

    Opened:
    May 21, 2019
    07:16 AM PT
    Duplicate folders and documents showing in user profile directory
    If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. ​This issue does not cause any user files to be deleted and a solution is in progress.

    To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May.
    Note We recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved.

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Investigating
    		Last updated:
    May 21, 2019
    07:16 AM PT

    Opened:
    May 21, 2019
    07:16 AM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    Microsoft has identified some scenarios where night light settings may stop working, for example:
    • Connecting to (or disconnecting from) an external monitor, dock, or projector
    • Rotating the screen
    • Updating display drivers or making other display mode changes
    • Closing full screen applications
    • Applying custom color profiles
    • Running applications that rely on custom gamma ramps
    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 24, 2019
    11:02 AM PT

    Opened:
    May 21, 2019
    07:28 AM PT
    AMD RAID driver incompatibility
    Microsoft and AMD have identified an incompatibility with AMD RAID driver versions earlier than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following:

    AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode.

    “A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.”

     
    To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: To resolve this issue, download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update.
     
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.
     

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 23, 2019
    09:28 AM PT

    Opened:
    May 21, 2019
    07:12 AM PT
    Error attempting to update with external USB device or memory card attached
    If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

    Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

    Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

    To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: To work around this issue, remove all external media, such as USB devices and SD cards, from your computer and restart installation of the Windows 10, version 1903 feature update. The update should then proceed normally.
    Note If you need to keep your external device, SD memory card, or other devices attached to your computer while updating, we recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: Microsoft is working on a resolution and estimate a solution will be available in late May.

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 21, 2019
    04:49 PM PT

    Opened:
    May 21, 2019
    07:38 AM PT
    Unable to discover or connect to Bluetooth devices
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.

    • For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
    • For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
    Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

    Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.  


    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 21, 2019
    04:48 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
    Night light settings do not apply in some cases
    Microsoft has identified some scenarios where night light settings may stop working, for example:
    • Connecting to (or disconnecting from) an external monitor, dock, or projector
    • Rotating the screen
    • Updating display drivers or making other display mode changes
    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: If you find that your night light settings have stopped working, try turning the night light on and off, or restart your computer.  

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.


    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 21, 2019
    04:48 PM PT

    Opened:
    May 21, 2019
    07:28 AM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
      
    To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809
    Workaround:
    On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

    For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

    Note We recommend you do not attempt to update your devices until newer device drivers are installed.

    Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:22 AM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

    \"Close other apps, error code: 0XA00F4243.”


    To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: To temporarily resolve this issue, perform one of the following:

    • Unplug your camera and plug it back in.

    or

    • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

    or

    • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
    Note This workaround will only resolve the issue until your next system restart.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:20 AM PT
    Intermittent loss of Wi-Fi connectivity
    Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: Download and install an updated Wi-Fi driver from your device manufacturer (OEM).
     
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

    Back to top    		OS Build 18362.116

    May 21, 2019
    KB4505057    		Mitigated
    		Last updated:
    May 21, 2019
    04:46 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    System unresponsive after restart if Sophos Endpoint Protection installed
    Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

    See details >    		April 09, 2019
    KB4493472    		Resolved
    		May 14, 2019
    01:22 PM PT
    System may be unresponsive after restart if Avira antivirus software installed
    Devices with Avira antivirus software installed may become unresponsive upon restart.

    See details >    		April 09, 2019
    KB4493472    		Resolved
    		May 14, 2019
    01:21 PM PT
    Authentication may fail for services after the Kerberos ticket expires
    Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

    See details >    		March 12, 2019
    KB4489878    		Resolved
    KB4499164    		May 14, 2019
    10:00 AM PT
    Devices may not respond at login or Welcome screen if running certain Avast software
    Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

    See details >    		April 09, 2019
    KB4493472    		Resolved
    		April 25, 2019
    02:00 PM PT
    " @@ -95,7 +94,6 @@ sections:
    System may be unresponsive after restart if ArcaBit antivirus software installed
    Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

    Affected platforms:
    Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

    Back to topApril 09, 2019
    KB4493472Resolved
    Resolved:
    May 14, 2019
    01:23 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT
    System unresponsive after restart if Sophos Endpoint Protection installed
    Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

    Affected platforms: 
    Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

    Back to topApril 09, 2019
    KB4493472Resolved
    Resolved:
    May 14, 2019
    01:22 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT
    System may be unresponsive after restart if Avira antivirus software installed
    Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

    Affected platforms: 
    Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

    Back to topApril 09, 2019
    KB4493472Resolved
    Resolved:
    May 14, 2019
    01:21 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT -
    Devices may not respond at login or Welcome screen if running certain Avast software
    Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493472 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

    Affected platforms: 
    Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

    Back to topApril 09, 2019
    KB4493472Resolved
    Resolved:
    April 25, 2019
    02:00 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT " diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 95074ee9dd..e76412be72 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -5,7 +5,7 @@ title: Windows 8.1 and Windows Server 2012 R2 metadata: document_id: title: Windows 8.1 and Windows Server 2012 R2 - description: View annoucements and review known issues and fixes for Windows 8.1 and Windows Server 2012 R2 + description: View announcements and review known issues and fixes for Windows 8.1 and Windows Server 2012 R2 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay @@ -69,7 +69,6 @@ sections:
    System may be unresponsive after restart if ArcaBit antivirus software installed
    Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

    See details >April 09, 2019
    KB4493446Resolved
    May 14, 2019
    01:22 PM PT
    System unresponsive after restart if Sophos Endpoint Protection installed
    Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

    See details >April 09, 2019
    KB4493446Resolved
    May 14, 2019
    01:22 PM PT
    System may be unresponsive after restart if Avira antivirus software installed
    Devices with Avira antivirus software installed may become unresponsive upon restart.

    See details >April 09, 2019
    KB4493446Resolved
    May 14, 2019
    01:21 PM PT -
    Devices may not respond at login or Welcome screen if running certain Avast software
    Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.

    See details >April 09, 2019
    KB4493446Resolved
    April 25, 2019
    02:00 PM PT " @@ -100,7 +99,6 @@ sections:
    System may be unresponsive after restart if ArcaBit antivirus software installed
    Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

    Affected platforms:
    Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

    Back to topApril 09, 2019
    KB4493446Resolved
    Resolved:
    May 14, 2019
    01:22 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT
    System unresponsive after restart if Sophos Endpoint Protection installed
    Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

    Affected platforms: 
    Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

    Back to topApril 09, 2019
    KB4493446Resolved
    Resolved:
    May 14, 2019
    01:22 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT
    System may be unresponsive after restart if Avira antivirus software installed
    Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

    Affected platforms: 
    Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

    Back to topApril 09, 2019
    KB4493446Resolved
    Resolved:
    May 14, 2019
    01:21 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT -
    Devices may not respond at login or Welcome screen if running certain Avast software
    Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493446 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

    Affected platforms: 
    Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

    Back to topApril 09, 2019
    KB4493446Resolved
    Resolved:
    April 25, 2019
    02:00 PM PT

    Opened:
    April 09, 2019
    10:00 AM PT " diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 09c429ca4b..a38199a095 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -5,7 +5,7 @@ title: Windows Server 2008 SP2 metadata: document_id: title: Windows Server 2008 SP2 - description: View annoucements and review known issues and fixes for Windows Server 2008 SP2 + description: View announcements and review known issues and fixes for Windows Server 2008 SP2 keywords: Windows, Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 3e8ed1b555..e98321c34c 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -5,7 +5,7 @@ title: Windows Server 2012 metadata: document_id: title: Windows Server 2012 - description: View annoucements and review known issues and fixes for Windows Server 2012 + description: View announcements and review known issues and fixes for Windows Server 2012 keywords: Windows 10, issues, fixes, announcements, Windows Server, advisories ms.localizationpriority: high author: greg-lindsay diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 16e282f16f..0a07c86b2d 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -34,364 +34,153 @@ Although the special identity groups can be assigned rights and permissions to r For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md). -The special identity groups are described in the following tables. +The special identity groups are described in the following tables: -- [Anonymous Logon](#bkmk-anonymouslogon) +- [Anonymous Logon](#anonymous-logon) -- [Authenticated User](#bkmk-authenticateduser) +- [Authenticated User](#authenticated-users) -- [Batch](#bkmk-batch) +- [Batch](#batch) -- [Creator Group](#bkmk-creatorgroup) +- [Creator Group](#creator-group) -- [Creator Owner](#bkmk-creatorowner) +- [Creator Owner](#creator-owner) -- [Dialup](#bkmk-dialup) +- [Dialup](#dialup) -- [Digest Authentication](#bkmk-digestauth) +- [Digest Authentication](#digest-authentication) -- [Enterprise Domain Controllers](#bkmk-entdcs) +- [Enterprise Domain Controllers](#enterprise-domain-controllers) -- [Everyone](#bkmk-everyone) +- [Everyone](#everyone) -- [Interactive](#bkmk-interactive) +- [Interactive](#interactive) -- [Local Service](#bkmk-localservice) +- [Local Service](#local-service) -- [LocalSystem](#bkmk-localsystem) +- [LocalSystem](#localsystem) -- [Network](#bkmk-network) +- [Network](#network) -- [Network Service](#bkmk-networkservice) +- [Network Service](#network-service) -- [NTLM Authentication](#bkmk-ntlmauth) +- [NTLM Authentication](#ntlm-authentication) -- [Other Organization](#bkmk-otherorganization) +- [Other Organization](#other-organization) -- [Principal Self](#bkmk-principalself) +- [Principal Self](#principal-self) -- [Remote Interactive Logon](#bkmk-remoteinteractivelogon) +- [Remote Interactive Logon](#remote-interactive-logon) -- [Restricted](#bkmk-restrictedcode) +- [Restricted](#restricted) -- [SChannel Authentication](#bkmk-schannelauth) +- [SChannel Authentication](#schannel-authentication) -- [Service](#bkmk-service) +- [Service](#service) -- [Terminal Server User](#bkmk-terminalserveruser) +- [Terminal Server User](#terminal-server-user) -- [This Organization](#bkmk-thisorg) +- [This Organization](#this-organization) -- [Window Manager\\Window Manager Group](#bkmk-windowmanager) +- [Window Manager\\Window Manager Group](#window-manager-window-manager-group) -## Anonymous Logon +## Anonymous Logon Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-7

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-7 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| -  - -## Authenticated Users +## Authenticated Users Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-11

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    -

    [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege

    -

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-11 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| -  - -## Batch +## Batch Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-3

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-3 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| none| -  - -## Creator Group +## Creator Group The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-3-1

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-3-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| none| -  - -## Creator Owner +## Creator Owner The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-3-0

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-3-0 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| none| -  - -## Dialup +## Dialup Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-1

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| none|  -  - -## Digest Authentication +## Digest Authentication - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-64-21

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-64-21 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| none|  -  - -## Enterprise Domain Controllers +## Enterprise Domain Controllers This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-9

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights Assignment

    [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    -

    [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-9 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| -  - -## Everyone +## Everyone All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. @@ -400,615 +189,184 @@ On computers running Windows 2000 and earlier, the Everyone group included the Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-1-0

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    -

    [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege

    -

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-1-0 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| -  - -## Interactive +## Interactive Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-4

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-4 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None| -  - -## Local Service +## Local Service The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-19

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default user rights

    [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege

    -

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    -

    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege

    -

    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

    -

    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege

    -

    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege

    -

    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege

    -

    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-19 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | -  - -## LocalSystem +## LocalSystem This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-18

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    -  - -## Network +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-18 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| +## Network This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-2

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-2 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| -  - -## Network Service +## Network Service The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-20

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege

    -

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    -

    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege

    -

    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege

    -

    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege

    -

    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

    -

    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-20 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | -  - -## NTLM Authentication +## NTLM Authentication - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-64-10

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-64-10 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None| -  - -## Other Organization +## Other Organization This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-1000

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-1000 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None | -  - -## Principal Self +## Principal Self This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-10

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-10 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None | -  - -## Remote Interactive Logon +## Remote Interactive Logon This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-14

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-14| +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None | -  - -## Restricted +## Restricted Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-12

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-12 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None | -  - -## SChannel Authentication +## SChannel Authentication - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-64-14

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-64-14 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None | -  - -## Service +## Service Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-6

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege

    -

    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege

    -  +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-6 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    | -## Terminal Server User +## Terminal Server User Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-13

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-13 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None | -  - -## This Organization +## This Organization - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    S-1-5-15

    Object Class

    Foreign Security Principal

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    None

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-15 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| None | -  +## Window Manager\\Window Manager Group -## Window Manager\\Window Manager Group - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    AttributeValue

    Well-Known SID/RID

    Object Class

    Default Location in Active Directory

    cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>

    Default User Rights

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    -

    [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege

    +| **Attribute** | **Value** | +| :--: | :--: | +| Well-Known SID/RID | | +|Object Class| | +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
    | ## See also @@ -1016,4 +374,4 @@ Any user accessing the system through Terminal Services has the Terminal Server - [Security Principals](security-principals.md) -- [Access Control Overview](access-control.md) \ No newline at end of file +- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 58043d111b..ea8762d16e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -64,7 +64,7 @@ By default, the Active Directory Certificate Authority provides and publishes th Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +3. In the **Certificate Templates Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. @@ -81,7 +81,7 @@ The Kerberos Authentication certificate template is the most current certificate Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. 4. Click the **Superseded Templates** tab. Click **Add**. 5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. 6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. @@ -98,7 +98,7 @@ Windows 10 clients use the https protocol when communicating with Active Directo Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. +3. In the **Certificate Templates Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. @@ -168,11 +168,11 @@ You want to confirm your domain controllers enroll the correct certificates and #### Use the Event Logs -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServices-Lifecycles-System** event log under **Application and Services/Microsoft/Windows**. +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServicesClient-Lifecycle-System** event log under **Application and Services/Microsoft/Windows**. Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. +Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServicesClient-Lifecycle-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. #### Certificate Manager diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 99026497a4..183203f5d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -34,8 +34,8 @@ ms.date: 10/08/2018 - [Key Trust](#key-trust) - [Managed Environment](#managed-environment) - [On-premises Deployment](#on-premises-deployment) -- [Pass-through Authentication](#passthrough-authentication) -- [Password Hash Synchronization](#password-hash-synchronization) +- [Pass-through Authentication](#pass-through-authentication) +- [Password Hash Synchronization](#password-hash-sync) - [Primary Refresh Token](#primary-refresh-token) - [Storage Root Key](#storage-root-key) - [Trust Type](#trust-type) @@ -212,9 +212,9 @@ The key trust model uses the user's Windows Hello for Business identity to authe Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services. ### Related topics -[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-synchronization) +[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-sync) -[Return to Top](#Technology-and-Terms) +[Return to Top](#technology-and-terms) ## On-premises Deployment The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. @@ -229,13 +229,13 @@ The Windows Hello for Business on-premises deployment is for organizations that Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related topics -[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-synchronization) +[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-sync) ### More information - [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) -[Return to Top](#hello-how-it-works-technology.md) +[Return to Top](hello-how-it-works-technology.md) ## Password Hash Sync The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. @@ -253,7 +253,7 @@ The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a si The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied. -[Return to Top](#Technology-and-Terms) +[Return to Top](#technology-and-terms) ## Storage Root Key The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. @@ -284,9 +284,9 @@ A TPM implements controls that meet the specification described by the Trusted C - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. -Windows�10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). +Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). -Windows�10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows�10 supports only TPM 2.0. +Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: @@ -316,16 +316,3 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) - - - - - - - - - - - - - diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index dd447eb2b1..2534ee8e04 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -58,7 +58,18 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. + +* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. +* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). +* The certificate Key Usage section must contain Digital Signature and Key Encipherment. +* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. +* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). +* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. +* The certificate template must have an extension that has the BMP data value "DomainController". +* The domain controller certificate must be installed in the local computer's certificate store. + + > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: @@ -85,7 +96,7 @@ Organizations using older directory synchronization technology, such as DirSync
    ## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. ### Section Review ### > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 58614660a4..bca87f02c5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -97,7 +97,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi ## Learn more -[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) +[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft) [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index cb2349d9bd..d2f6bc7823 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -117,7 +117,7 @@ You will want to balance testing in a lab with providing results to management q ## The Process -The journey to password-less is to take each work persona through each password-less step. In the begging, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like +The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like 1. Password-less replacement offering (Step 1) 1. Identify test users that represent the targeted work persona. diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 137f60c277..6648747efc 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -163,16 +163,41 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You 2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**. +## Collect WIP audit logs using Azure Monitor +You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs) +**To view the WIP events in Azure Monitor** +1. Use an existing or create a new Log Analytics workspace. +2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive: + ``` + Microsoft-Windows-EDP-Application-Learning/Admin + Microsoft-Windows-EDP-Audit-TCB/Admin + ``` + >[!NOTE] + >If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB). +3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation). +4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t: +Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**. +5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1 +>[!NOTE] +>Replace & received from step 5. In installation parameters, don't place & in quotes ("" or ''). +6. After the agent is deployed, data will be received within approximately 10 minutes. +7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search. +***Example*** +``` +Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin" +``` - - +## Additional resources +- [How to deploy app via Intune](https://docs.microsoft.com/intune/apps-add) +- [How to create Log workspace](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace) +- [How to use Microsoft Monitoring Agents for Windows](https://docs.microsoft.com/azure/azure-monitor/platform/agents-overview) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index c40587d323..e397719da4 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -62,7 +62,7 @@ Detailed Tracking security policy settings and audit events can be used to monit - [Audit Process Creation](audit-process-creation.md) - [Audit Process Termination](audit-process-termination.md) - [Audit RPC Events](audit-rpc-events.md) - +- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation) > **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/) ## DS Access diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md index 6935b85eb1..e2a45c1988 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md @@ -83,7 +83,7 @@ The rules that govern how Group Policy settings are applied propagate to the sub | - | - | - | -| | Detailed File Share Auditing | Success | Failure | Success | | Process Creation Auditing | Disabled | Success | Disabled | -| Logon Auditing | Success | Failure | Failure | +| Logon Auditing | Failure | Success | Failure | ## What is the difference between an object DACL and an object SACL? diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 37903b6e79..e86455f52b 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -29,7 +29,7 @@ Go to the [VIA program page](virus-information-alliance-criteria.md) for more in MVI is open to organizations who build and own a Real Time Protection (RTP) antimalware product of their own design, or one developed using a third-party antivirus SDK. -Members get access to Microsoft client APIs for the Windows Defender Security Center, IOAV, AMSI, and Cloud Files, along with health data and other telemetry to help their customers stay protected. Antimalware products are submitted to Microsoft for performance testing on a regular basis. +Members get access to Microsoft client APIs for the Microsoft Defender Security Center, IOAV, AMSI, and Cloud Files, along with health data and other telemetry to help their customers stay protected. Antimalware products are submitted to Microsoft for performance testing on a regular basis. Go to the [MVI program page](virus-initiative-criteria.md) for more information. diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md index 64dc28a46a..d3c5062599 100644 --- a/windows/security/threat-protection/intelligence/developer-info.md +++ b/windows/security/threat-protection/intelligence/developer-info.md @@ -25,6 +25,4 @@ Learn about the common questions we receive from software developers and get oth Topic | Description :---|:--- [Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers. -[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest Security intelligence and cloud protection from Microsoft. - - +[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest security intelligence and cloud protection from Microsoft. \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index f0d0633fa0..ba54c66db5 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -1,7 +1,7 @@ --- title: Fileless threats description: Learn about fileless threats, its categories, and how it runs -keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV +keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -17,49 +17,49 @@ search.appverid: met150 # Fileless threats -What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. +What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The term is used broadly; it's also used to describe malware families that do rely on files to operate. -Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another. +Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another. -To shed light on this loaded term, we grouped fileless threats into different categories. +For clarity, fileless threats are grouped into different categories. ![Comprehensive diagram of fileless malware](images/fileless-malware.png)
    *Figure 1. Comprehensive diagram of fileless malware* -We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. +Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. -Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector. +Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are sub-categories of the execution vector. -Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. +Finally, classify the host of the infection. For example, a Flash application that may contain an exploit, a simple executable, malicious firmware from a hardware device, or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. -This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. +This helps you divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. -From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines. +From this categorization, you can glean three main types of fileless threats based on how much fingerprint they may leave on infected machines. ## Type I: No file activity performed A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file. -Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. +Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks. ## Type II: Indirect file activity -There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically. +There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically. It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed. ## Type III: Files required to operate -Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. +Some malware can have some sort of fileless persistence but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. ![Image of Kovter's registry key](images/kovter-reg-key.png)
    *Figure 2. Kovter’s registry key* When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. -Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present. +Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present. ## Categorizing fileless threats by infection host @@ -67,21 +67,21 @@ Having described the broad categories, we can now dig into the details and provi ### Exploits -**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file. +**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file. **Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory. ### Hardware -**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/). +**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. Software residing and running in the chipset of a device is called firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/). **CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution. -**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. +**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. **BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). -**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date. +**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date. ### Execution and injection @@ -89,12 +89,12 @@ Having described the broad categories, we can now dig into the details and provi **Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. -**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they’re textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. +**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they are textual files (not binary executables) and run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. **Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it. ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/en-us/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware18.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware18.png deleted file mode 100644 index b3a4456f19..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/PrevalentMalware18.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/RealWorld18.png b/windows/security/threat-protection/intelligence/images/RealWorld18.png deleted file mode 100644 index 2961cbb6b2..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/RealWorld18.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png b/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png new file mode 100644 index 0000000000..15a95c2276 Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png differ diff --git a/windows/security/threat-protection/intelligence/images/real-world-small.png b/windows/security/threat-protection/intelligence/images/real-world-small.png new file mode 100644 index 0000000000..89bf7a1819 Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/real-world-small.png differ diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md index cde3c3a454..68203c0963 100644 --- a/windows/security/threat-protection/intelligence/index.md +++ b/windows/security/threat-protection/intelligence/index.md @@ -22,6 +22,6 @@ Here you will find information about different types of malware, safety tips on * [Submit files for analysis](submission-guide.md) * [Safety Scanner download](safety-scanner-download.md) -Keep up with the latest malware news and research. Check out our [Windows security blogs](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. +Keep up with the latest malware news and research. Check out our [Microsoft Security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. Learn more about [Windows security](https://docs.microsoft.com/windows/security/index). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 8e7744a439..00b5634d69 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -135,7 +135,7 @@ Send an email with the phishing scam to **The Anti-Phishing Working Group**: rep ## Where to find more information about phishing attacks -For information on the latest Phishing attacks, techniques, and trends, you can read these entries on the [Windows Security blog](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection): +For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/): * [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 58a9dfebdd..02d32eb70d 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -104,7 +104,7 @@ Microsoft provides comprehensive security capabilities that help protect against * [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection. -* [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Windows Defender ATP free of charge. +* [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge. * [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account. @@ -114,6 +114,6 @@ Microsoft provides comprehensive security capabilities that help protect against ## What to do with a malware infection -Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects. +Microsoft Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects. In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 69dfef35ee..fcfb430610 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -26,7 +26,7 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. -> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). +> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). > **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. @@ -51,4 +51,4 @@ For more information about the Safety Scanner, see the support article on [how t - [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) - [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware) - [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission) -- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) +- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index c035c41d1f..849e9ef801 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -1,6 +1,6 @@ --- title: Top scoring in industry tests -description: Windows Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. +description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, defender, scores, endpoint detection and response, next generation protection, MITRE, WDATP ms.prod: w10 ms.mktglfcycl: secure @@ -17,33 +17,37 @@ search.appverid: met150 # Top scoring in industry tests -Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. +Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. ## Endpoint detection & response -Windows Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. +Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. ### MITRE: Industry-leading optics and detection capabilities MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics. -- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://attackevals.mitre.org/) | [Analysis](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) +- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831) - Windows Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. + Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. ## Next generation protection [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Note that these tests only provide results for antivirus and do not test for additional security protections. -Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Window Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. +Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. ### AV-TEST: Protection score of 6.0/6.0 in the latest test The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) **Latest** +- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) **Latest** - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score. + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 6,849 malware samples used. This is the sixth consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score. + +- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) + + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 13,977 malware samples used. - November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) @@ -61,25 +65,21 @@ The AV-TEST Product Review and Certification Report tests on three categories: p Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. -- March - April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) - - Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). - -- January - February 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports) - - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. - ||| |---|---| -|![Graph describing Real-World detection rate](./images/RealWorld18.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware18.png)| +|![Graph describing Real-World detection rate](./images/real-world-small.png)|![Graph describing Prevalent Malware](./images/prevalent-malware-small.png)| -### AV-Comparatives: Protection rating of 99.6% in the latest test +### AV-Comparatives: Protection rating of 99.7% in the latest test AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. -- Real-World Protection Test Enterprise August - November 2018: [Protection Rate 99.6%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-november-2018-testresult/) **Latest** +- Real-World Protection Test Enterprise March - April 2019: [Protection Rate 99.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-april-2019-testresult/) **Latest** - This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. The test set contained 1207 test cases (such as malicious URLs). + This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. The test set contained 389 test cases (such as malicious URLs). + +- Real-World Protection Test Enterprise August - November 2018: [Protection Rate 99.6%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-november-2018-testresult/) + + The test set contained 1,207 test cases (such as malicious URLs). - Malware Protection Test Enterprise August 2018: [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/) @@ -89,12 +89,6 @@ AV-Comparatives is an independent organization offering systematic testing for s The test set contained 1,163 test cases (such as malicious URLs). -- Malware Protection Test Enterprise March 2018: [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) - - For this test, 1,470 recent malware samples were used. - -[Historical AV-Comparatives Microsoft tests](https://www.av-comparatives.org/vendors/microsoft/) - ### SE Labs: Total accuracy rating of AAA in the latest test SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. @@ -115,6 +109,6 @@ SE Labs tests a range of solutions used by products and services to detect and/o It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. -The capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. +The capabilities within [Microsoft Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. -Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). \ No newline at end of file +Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Microsoft Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index 28f670b9f3..ef84e9e059 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -14,13 +14,13 @@ ms.collection: M365-security-compliance ms.topic: conceptual search.appverid: met150 --- -# Understanding malware & other threats +# Understanding malware & other threats Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more. Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp)), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. @@ -38,6 +38,6 @@ There are many types of malware, including: - [Unwanted software](unwanted-software.md) - [Worms](worms-malware.md) -Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. +Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. Learn more about [Windows security](https://docs.microsoft.com/windows/security/index). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index ed1811238e..0e21b773e3 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -34,7 +34,7 @@ Here are some indications of unwanted software: Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser. -Microsoft uses an extensive [evaluation criteria](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria) to identify unwanted software. +Microsoft uses an extensive [evaluation criteria](criteria.md) to identify unwanted software. ## How to protect against unwanted software @@ -42,7 +42,7 @@ To prevent unwanted software infection, download software only from official web Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer). -Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. +Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index eea3dbea97..dece4574a6 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -43,7 +43,7 @@ This image shows how a worm can quickly spread through a shared USB drive. ## How to protect against worms -Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. +Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 1a5081adff..87334d65be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -98,7 +98,7 @@ #### [Managed security service provider support](mssp-support.md) ### [Microsoft Threat Protection](threat-protection-integration.md) -#### [Protect users, data, and devices with conditional access](conditional-access.md) +#### [Protect users, data, and devices with Conditional Access](conditional-access.md) #### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) #### [Information protection in Windows overview](information-protection-in-windows-overview.md) ##### [Use sensitivity labels to prioritize incident response ](information-protection-investigation.md) @@ -361,7 +361,7 @@ #### [Configure managed security service provider (MSSP) support](configure-mssp-support.md) ### Configure Microsoft Threat Protection integration -#### [Configure conditional access](configure-conditional-access.md) +#### [Configure Conditional Access](configure-conditional-access.md) #### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) ####[Configure information protection in Windows](information-protection-in-windows-config.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index f4a0532ef7..396e2730fb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -1,6 +1,6 @@ --- -title: Enable conditional access to better protect users, devices, and data -description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. +title: Enable Conditional Access to better protect users, devices, and data +description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. keywords: conditional access, block applications, security level, intune, search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Enable conditional access to better protect users, devices, and data +# Enable Conditional Access to better protect users, devices, and data **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -26,26 +26,26 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) -Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. +Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. -With conditional access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications. +With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications. You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. -The implementation of conditional access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. +The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. -The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications. +The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications. -## Understand the conditional access flow -Conditional access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated. +## Understand the Conditional Access flow +Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated. The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune. -Depending on how you configure policies in Intune, conditional access can be set up so that when certain conditions are met, the policy is applied. +Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied. -For example, you can configure Intune to apply conditional access on devices that have a high risk. +For example, you can configure Intune to apply Conditional Access on devices that have a high risk. -In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched. +In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched. A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. @@ -54,23 +54,23 @@ To resolve the risk found on a device, you'll need to return the device to a com There are three ways to address a risk: 1. Use Manual or automated remediation. 2. Resolve active alerts on the machine. This will remove the risk from the machine. -3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine. +3. You can remove the machine from the active policies and consequently, Conditional Access will not be applied on the machine. -Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access.md). +Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md). When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted. -The following example sequence of events explains conditional access in action: +The following example sequence of events explains Conditional Access in action: 1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. -3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune conditional access policy. In Azure AD, the corresponding policy is applied to block access to applications. +3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications. 4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. ## Related topic -- [Configure conditional access in Microsoft Defender ATP](configure-conditional-access.md) +- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 87e9fe515f..e6023b38fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -1,5 +1,5 @@ --- -title: Configure conditional access in Microsoft Defender ATP +title: Configure Conditional Access in Microsoft Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh @@ -18,11 +18,11 @@ ms.topic: article ms.date: 09/03/2018 --- -# Configure conditional access in Microsoft Defender ATP +# Configure Conditional Access in Microsoft Defender ATP **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This section guides you through all the steps you need to take to properly implement conditional access. +This section guides you through all the steps you need to take to properly implement Conditional Access. ### Before you begin >[!WARNING] @@ -43,12 +43,12 @@ There are steps you'll need to take in Microsoft Defender Security Center, the I > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. -Take the following steps to enable conditional access: +Take the following steps to enable Conditional Access: - Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center - Step 2: Turn on the Microsoft Defender ATP integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy -- Step 5: Create an Azure AD conditional access policy +- Step 5: Create an Azure AD Conditional Access policy ### Step 1: Turn on the Microsoft Intune connection @@ -85,17 +85,17 @@ Take the following steps to enable conditional access: 4. Include or exclude your Azure AD groups to assign them the policy. 5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. -### Step 5: Create an Azure AD conditional access policy -1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**. +### Step 5: Create an Azure AD Conditional Access policy +1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**. 2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**. 3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes. 4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes. -5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. +5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. 6. Select **Enable policy**, and then **Create** to save your changes. -For more information, see [Enable Microsoft Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). +For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 8989f06877..358e414a2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -107,7 +107,7 @@ help | Provides help information for live response commands. persistence | Shows all known persistence methods on the machine. processes | Shows all processes running on the machine. registry | Shows registry values. -sheduledtasks| Shows all scheduled tasks on the machine. +scheduledtasks| Shows all scheduled tasks on the machine. services | Shows all services on the machine. trace | Sets the terminal's logging mode to debug. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 8734d8b92a..a6fcc5d848 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender Advanced Threat Protection portal overview +# Microsoft Defender Security Center portal overview **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 1c97445131..14c2504769 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -40,8 +40,8 @@ Microsoft Defender ATP provides a comprehensive server protection solution, incl ## Azure Information Protection Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection. -## Conditional access -Microsoft Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. +## Conditional Access +Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. ## Microsoft Cloud App Security @@ -56,7 +56,7 @@ The Skype for Business integration provides s a way for analysts to communicate ## Related topic -- [Protect users, data, and devices with conditional access](conditional-access.md) +- [Protect users, data, and devices with Conditional Access](conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 619b30d34a..b25652932d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -100,7 +100,7 @@ Query data using Advanced hunting in Microsoft Defender ATP. >[!NOTE] >Available from Windows 10, version 1803 or later. -- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
    Enable conditional access to better protect users, devices, and data. +- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
    Enable conditional access to better protect users, devices, and data. - [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
    The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index fe229e350d..faa63ea948 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -26,6 +26,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines + - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - Windows 10 Version 1709 (Fall Creators Update) @@ -69,4 +70,4 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. -Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). \ No newline at end of file +Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index e62f0051cb..b0715daedf 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -69,6 +69,9 @@ Enabling this policy setting allows the operating system to store passwords in a Disable the **Store password using reversible encryption** policy setting. +>[!Note] +> When policy settings are disabled, only new passwords will be stored using one-way encryption by default. Existing passwords will be stored using reversible encryption until they are changed. + ### Potential impact If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 901c6c4995..471d647e37 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -26,7 +26,7 @@ You can manage and configure Windows Defender Antivirus with the following tools - System Center Configuration Manager - Group Policy - PowerShell cmdlets -- Windows Management Instruction (WMI) +- Windows Management Instrumentation (WMI) - The mpcmdrun.exe utility The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index b895c48fac..e39c054561 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -95,7 +95,16 @@ Security intelligence and product updates Upload location for files submitted to Microsoft via the Submission form or automatic sample submission -*.blob.core.windows.net +ussus1eastprod.blob.core.windows.net
    +ussus1westprod.blob.core.windows.net
    +usseu1northprod.blob.core.windows.net
    +usseu1westprod.blob.core.windows.net
    +ussuk1southprod.blob.core.windows.net
    +ussuk1westprod.blob.core.windows.net
    +ussas1eastprod.blob.core.windows.net
    +ussas1southeastprod.blob.core.windows.net
    +ussau1eastprod.blob.core.windows.net
    +ussau1southeastprod.blob.core.windows.net
    diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 4da87e4759..e08175533a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -73,7 +73,7 @@ Hiding notifications can be useful in situations where you can't hide the entire > [!NOTE] > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). -See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. +See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. **Use Group Policy to hide notifications:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png index aa0d5c7caf..6463593a6c 100644 Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png new file mode 100644 index 0000000000..cc63efe4a4 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png deleted file mode 100644 index 1bc70e06c0..0000000000 Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 695a6be30d..ea48873f29 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -40,7 +40,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index fd9c3d6b85..b3b990dbde 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -41,7 +41,7 @@ Download the installation and onboarding packages from Windows Defender Security 3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) 5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: @@ -70,7 +70,7 @@ The configuration profile contains a custom settings payload that includes: - Microsoft Defender ATP for Mac onboarding information - Approved Kernel Extensions payload, to enable running the Microsoft kernel driver -To set the onboarding information, upload a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_. +To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list. >[!IMPORTANT] > You must set the the Preference Domain as "com.microsoft.wdav.atp" @@ -104,8 +104,8 @@ Use the **Logs** tab to monitor deployment status for each enrolled device. ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. +2. Upload the package to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_. ### Policy @@ -133,7 +133,7 @@ After a moment, the device's User Approved MDM status will change to **Yes**. ![MDM status screenshot](images/MDATP_23_MDMStatus.png) -You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. +You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. ## Deployment @@ -150,11 +150,11 @@ You can monitor deployment status in the **Logs** tab: ### Status on client device -After the Configuration Profile is deployed, you'll see the profile on the device in **System Preferences > Profiles >**, under the name of the configuration profile. +After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**. ![Status on client screenshot](images/MDATP_25_StatusOnClient.png) -After the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner. +Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner. ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) @@ -204,4 +204,33 @@ See [Logging installation issues](microsoft-defender-atp-mac-resources.md#loggin ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. \ No newline at end of file +This method is based on the script described in [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling). + +### Script + +Create a script in **Settings > Computer Management > Scripts**. + +This script removes Microsoft Defender ATP from the /Applications directory: + +```bash + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +### Policy + +Your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 694e2e86ce..55cd7868bf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -32,12 +32,12 @@ If you can reproduce a problem, please increase the logging level, run the syste 1. Increase logging level: -```bash + ```bash mavel-mojave:~ testuser$ mdatp --log-level verbose Creating connection to daemon Connection established Operation succeeded -``` + ``` 2. Reproduce the problem @@ -77,35 +77,6 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note - ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` -### With a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash - echo "Is WDAV installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Uninstalling WDAV..." - rm -rf '/Applications/Microsoft Defender ATP.app' - - echo "Is WDAV still installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Done!" -``` - -### With a JAMF policy - -If you are running JAMF, your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - ## Configuring from the command line Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index c5f47ef87a..cc2cb1efad 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -20,9 +20,9 @@ ms.topic: conceptual # Microsoft Defender Advanced Threat Protection for Mac >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. +This topic describes how to install and use Microsoft Defender ATP for Mac. ## What’s new in the public preview @@ -40,6 +40,7 @@ Since opening the limited preview, we've been working non-stop to enhance the pr ## Installing and configuring There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. + In general you'll need to take the following steps: - Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal @@ -67,7 +68,7 @@ You should also have access to Microsoft Defender Security Center. Beta versions of macOS are not supported. > [!CAUTION] -> Running other third-party endpoint protection along with Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects. +> Running other third-party endpoint protection alongside Microsoft Defender ATP for Mac may lead to performance problems and unpredictable side effects. After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. @@ -75,16 +76,23 @@ The following table lists the services and their associated URLs that your netwo | Service | Description | URL | | -------------- | ------------------------------------ | -------------------------------------------------------------------- | -| ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com`, `https://cdn.x.cp.wd.microsoft.com` | +| ATP | Advanced threat protection service | [https://x.cp.wd.microsoft.com](https://x.cp.wd.microsoft.com), [https://cdn.x.cp.wd.microsoft.com](https://cdn.x.cp.wd.microsoft.com) | -To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser, or run the following command in Terminal: +To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping]([https://cdn.x.cp.wd.microsoft.com/ping) in a browser. + +If you prefer the command line, you can also check the connection by running the following command in Terminal: ```bash - mavel-mojave:~ testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' - OK https://x.cp.wd.microsoft.com/api/report - OK https://cdn.x.cp.wd.microsoft.com/ping +testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' ``` +The output from this command should look like this: + +> `OK https://x.cp.wd.microsoft.com/api/report` +> +> `OK https://cdn.x.cp.wd.microsoft.com/ping` + + We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. ## Resources diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles.md b/windows/security/threat-protection/windows-defender-atp/user-roles.md new file mode 100644 index 0000000000..d007b7028e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/user-roles.md @@ -0,0 +1,86 @@ +--- +title: Create and manage roles for role-based access control +description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation +keywords: user roles, roles, access rbac +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create and manage roles for role-based access control +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) + +## Create roles and assign the role to an Azure Active Directory group +The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups. + +1. In the navigation pane, select **Settings > Roles**. + +2. Click **Add role**. + +3. Enter the role name, description, and permissions you'd like to assign to the role. + + - **Role name** + - **Description** + - **Permissions** + - **View data** - Users can view information in the portal. + - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. + - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. + + >[!NOTE] + >This setting is only available in the Windows Defender ATP administrator (default) role. + + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + +4. Click **Next** to assign the role to an Azure AD group. + +5. Use the filter to select the Azure AD group that you'd like to add to this role. + +6. Click **Save and close**. + +7. Apply the configuration settings. + + +After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. + + +>[!NOTE] +>The Windows Defender ATP administrator (default) role has administrator permissions with exclusive access to all machine groups. Administrator permissions cannot be assigned to any other role. + + +## Edit roles + +1. Select the role you'd like to edit. + +2. Click **Edit**. + +3. Modify the details or the groups that are assigned to the role. + +4. Click **Save and close**. + +## Delete roles + +1. Select the role you'd like to delete. + +2. Click the drop-down button and select **Delete role**. + + + +## Related topics +- [User basic permissions to access the portal](../microsoft-defender-atp/basic-permissions.md) +- [Create and manage machine groups](../microsoft-defender-atp/machine-groups.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index b6733d5ed0..b66723f6ca 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -57,12 +57,15 @@ This section covers requirements for each feature in Windows Defender EG. | ![supported](./images/ball_50.png) | Supported | | ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| -| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | -| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | -| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | +| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 Enterprise | Windows 10 with Enterprise E3 subscription | Windows 10 with Enterprise E5 subscription | +| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | :--------------------------------------: | +| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | +| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | +| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | +| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | + +>[!NOTE] +> The [Identity & Threat Protection package](https://www.microsoft.com/microsoft-365/blog/2019/01/02/introducing-new-advanced-security-and-compliance-offerings-for-microsoft-365/), available for Microsoft 365 E3 customers, provides the same Windows Defender ATP capabilities as the Enterprise E5 subscription. The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus. diff --git a/windows/whats-new/images/Multi-app_kiosk_inFrame.png b/windows/whats-new/images/Multi-app_kiosk_inFrame.png index 7a1928501e..9dd28db197 100644 Binary files a/windows/whats-new/images/Multi-app_kiosk_inFrame.png and b/windows/whats-new/images/Multi-app_kiosk_inFrame.png differ diff --git a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png index f329d74d3e..a7b20a039c 100644 Binary files a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png and b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png differ diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 58fe6b55e8..2ecf0408ac 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -22,11 +22,8 @@ This article lists new and updated features and content that are of interest to The following 3-minute video summarizes some of the new features that are available for IT Pros in this release. -  - > [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false] - ## Deployment ### Windows Autopilot @@ -135,7 +132,7 @@ Portions of the work done during the offline phases of a Windows update have bee ### Co-management -Intune and System Center Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +**Intune** and **System Center Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) @@ -231,8 +228,8 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu ## See Also -[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
    -[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
    -[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
    -[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features. +- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10. +- [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware. +- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index f50ed452fa..1f2bdde7f2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -78,6 +78,8 @@ To achieve this: 3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. +For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/bitlocker). + ### Windows Defender Application Guard Improvements Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. @@ -173,7 +175,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. >[!NOTE] ->The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. +>The following Microsoft Edge kiosk mode types cannot be set up using the new simplified assigned access configuration wizard in Windows 10 Settings. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index c77493d952..41a0e83637 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -120,7 +120,7 @@ The draft release of the [security configuration baseline settings](https://blog - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. - [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. -- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! i +- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! - [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. ### Security management